Switch to rustls and webpki-roots (#30025)

This change replaces OpenSSL with rustls and also the manually curated
CA certs file with webpki-roots (effectively the same thing, but as a
crate).

Generally speaking the design of the network stack is the same. Changes:

- Code around certificate overrides needed to be refactored to work with
  rustls so the various thread-safe list of certificates is refactored
  into `CertificateErrorOverrideManager`
- hyper-rustls takes care of setting ALPN protocols for HTTP requests,
  so for WebSockets this is moved to the WebSocket code.
- The safe set of cypher suites is chosen, which seem to correspond to
  the "Modern" configuration from [1]. This can be adjusted later.
- Instead of passing a string of PEM CA certificates around, an enum is
  used that includes parsed Certificates (or the default which reads
  them from webpki-roots).
- Code for starting up an SSL server for testing is cleaned up a little,
  due to the fact that the certificates need to be overriden explicitly
  now. This is due to the fact that the `webpki` crate is more stringent
  with self-signed certificates than SSL (CA certificates cannot used as
  end-entity certificates). [2]

1. https://wiki.mozilla.org/Security/Server_Side_TLS
2. https://github.com/briansmith/webpki/issues/114

Fixes #7888.
Fixes #13749.
Fixes #26835.
Fixes #29291.

components/net/Cargo.toml

@@ -6,7 +6,6 @@ license = "MPL-2.0"
 edition = "2018"
 publish = false
 autotests = false  # Inhibit lookup for tests/*.rs without [[test]] sections
-build = "build.rs"
 
 [lib]
 name = "net"
@@ -16,7 +15,7 @@ doctest = false
 
 [dependencies]
 async-recursion = "0.3.2"
-async-tungstenite = { version = "0.22", features = ["tokio-openssl"] }
+async-tungstenite = { workspace = true }
 base64 = { workspace = true }
 brotli = "3"
 bytes = "1"
@@ -33,7 +32,7 @@ generic-array = "0.14"
 headers = { workspace = true }
 http = { workspace = true }
 hyper = { workspace = true, features = ["client", "http1", "http2", "tcp", "stream"] }
-hyper-openssl = "0.9.1"
+hyper-rustls = { workspace = true }
 hyper_serde = { workspace = true }
 immeta = "0.4"
 ipc-channel = { workspace = true }
@@ -46,12 +45,12 @@ mime = { workspace = true }
 mime_guess = { workspace = true }
 msg = { path = "../msg" }
 net_traits = { path = "../net_traits" }
-openssl = "0.10"
-openssl-sys = "0.9"
 percent-encoding = { workspace = true }
 pixels = { path = "../pixels" }
 profile_traits = { path = "../profile_traits" }
 rayon = { workspace = true }
+rustls = { workspace = true }
+rustls-pemfile = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 servo_allocator = { path = "../allocator" }
@@ -61,16 +60,17 @@ servo_url = { path = "../url" }
 sha2 = "0.10"
 time = { workspace = true }
 tokio = { workspace = true, features = ["sync", "macros", "rt-multi-thread"] }
+tokio-rustls = { workspace = true }
 tokio-stream = "0.1"
-tungstenite = "0.19"
+tungstenite = { workspace = true }
 url = { workspace = true }
 uuid = { workspace = true }
 webrender_api = { workspace = true }
+webpki-roots = { workspace = true }
 
 [dev-dependencies]
 futures = {version = "0.3", features = ["compat"]}
 std_test_override = { path = "../std_test_override" }
-tokio-openssl = "0.6"
 tokio-test = "0.4"
 tokio-stream = { version = "0.1", features = ["net"] }
 hyper = { workspace = true, features = ["full"] }